backfill: build v0.0.5-alpha and push to ACR

chriscpaul · Copilot · chriscpaul · commit a8d496232a93 · 2026-06-12T14:21:41.000-04:00
Build from the exact commit that produced v0.0.5-alpha and publish
to ACR with attestation. This branch can be deleted after the
backfill completes.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/release_acr.yaml b/.github/workflows/release_acr.yaml
@@ -0,0 +1,52 @@
+name: Backfill v0.0.5-alpha to ACR
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - backfill-acr-v0.0.5-alpha
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Build and Release OCI Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log in to Azure Container Registry (ACR)
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ${{ secrets.ACR_MODA_REGISTRY }}
+          username: ${{ secrets.ACR_MODA_USER }}
+          password: ${{ secrets.ACR_MODA_TOKEN }}
+
+      - name: Build and push Docker image to ACR
+        id: build
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: ${{ secrets.ACR_MODA_REGISTRY }}/artifact-attestations-opa-provider:v0.0.5-alpha
+          platforms: linux/amd64,linux/arm64
+
+      - name: Attest build provenance for ACR
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-name: ${{ secrets.ACR_MODA_REGISTRY }}/artifact-attestations-opa-provider
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
